Why SAML?

Interoperability. SAML provides a set of interoperable standard interfaces. Standardizing the interfaces between systems allows for faster, cheaper, and more reliable integration.

Platform neutrality. SAML abstracts the security framework away from platform architectures and particular vendor implementations. Making security more independent of application logic is an important tenet of Service-Oriented Architecture.

Loose coupling of directories. SAML does not require user information to be maintained and synchronized between directories.

Improved online experience for end users. SAML enables single sign-on by allowing users to authenticate at an identity provider and then access service providers without additional authentication. In addition, identity federation (linking of multiple identities) with SAML allows for a better-customized user experience at each service while promoting privacy.

Reduced administrative costs for service providers. Using SAML to ‘reuse’ a single act of authentication (such as logging in with a username and password) multiple times across multiple services can reduce the cost of maintaining account information. This burden is transferred to the identity provider.

Risk transference. SAML can act to push responsibility for proper management of identities to the identity provider, which is more often compatible with its business model than that of a service provider.

Roles

Principal

Requests a service from the Service Provider

Identity Provider (IdP)

Asserting party – Authenticates the identity

Service Provider (SP)

Relying party – requests and obtains an authentication assertion from the Identity Provider

SAML Security

TLS 1.0+ for transport-level security

XML Signature and XML Encryption for message-level security

Terminology

Assertion Queries

Used to load a previously issued assertion back from the cache instead of re-authenticating the user

Attribute Queries

Lazy-load user claims. Suppose a user is a member of hundreds of groups: passing every attribute in the single login assertion is impractical. An attribute query lets the service provider fetch the additional information later through a back-channel call to the identity provider.
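The back-channel exchange described above, as an added example that is not part of the original notes: the service provider builds a samlp:AttributeQuery for one subject, then extracts the requested attributes from the identity provider's response, accepting them only when the assertion's Issuer and Subject match what was asked. The issuer URLs, subject name and response XML are constructed placeholders, and XML Signature verification is called out in a comment but not implemented.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def build_attribute_query(sp_issuer, name_id, attribute_names, request_id):
    """samlp:AttributeQuery the SP sends to the IdP over the back channel; only the
    named attributes are requested, so the login assertion itself can stay small."""
    query = ET.Element(f"{{{NS['samlp']}}}AttributeQuery", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(query, f"{{{NS['saml']}}}Issuer").text = sp_issuer
    subject = ET.SubElement(query, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml']}}}NameID").text = name_id
    for name in attribute_names:
        ET.SubElement(query, f"{{{NS['saml']}}}Attribute", {"Name": name})
    return ET.tostring(query, encoding="unicode")

def parse_attribute_response(xml_text, expected_name_id, expected_idp_issuer):
    """Pull attributes out of the IdP's samlp:Response, but only from an assertion whose
    Issuer and Subject match the query. The assertion's XML Signature must also be
    verified (e.g. with xmlsec) before these values are trusted; that step is not shown."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_idp_issuer:
        raise ValueError("assertion issued by an unexpected IdP")
    if assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) != expected_name_id:
        raise ValueError("assertion is about a different subject")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

# Constructed sample of what the IdP might return for a "groups" query (placeholder data).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="groups">
   <saml:AttributeValue>finance</saml:AttributeValue>
   <saml:AttributeValue>vpn-users</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""
```

For the sample above, parse_attribute_response(SAMPLE_RESPONSE, "alice@example.test", "https://idp.example.test") returns {"groups": ["finance", "vpn-users"]}, while a different subject or issuer is rejected.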